Additionally, Adobe provides the Customization Tool which can be used to customize nearly every aspect of the installation and product settings, including accepting the EULA, disabling upsell (“Buy this tool now!”), and a silent installation with absolutely no UI. I’ve used it to customize my Reader DC installations for all computers on our network.

Welcome to the first of many posts about Palo Alto Firewalls. This post will go over using a physical Palo Alto Firewall.

The model I will be using is a PA-200 with a PAN-OS of 8. As long as you use the same OS the screenshots should look identical. Older versions of PAN-OS should be similar or the same.

Palo Alto Firewalls have two “Planes”. They have the Management Plane and the Data Plane. These concepts are important to understand when setting up the device.

Management Plane – Is essentially tied to the Management Port. It will have its own IP address, DNS and Default Gateway. In order to update your firewall, you will need to make sure the Management Plane/Port is set up correctly. This post will go over these tasks.

Data Plane – The data plane is the area in which the data flows. Typically the External Port will have a default gateway as well. This post will not cover this.

I will be creating a LAB setup that will be a subset of an existing network. The purpose of this setup is to allow you to play and work with a Palo Alto firewall from the comforts of a working network.

The first thing you need to know when setting up a Palo Alto is that the device’s management port is set to the IP address of 192.168.1.1.

If you plan to plug this port into your existing network and your IP range is also in 192.168.1.1, you will need to change this IP address by plugging a computer directly into the Management port rather than plugging the management port into your existing network infrastructure.

My network is not part of the 192.168.1.X network so I will plug my Palo Alto management port into a switch and make sure that the Palo Alto device and Computer are on the same VLAN/Physical Network.

I will change my IP address from its 192.168.101.x network address to 192.168.1.2 /24. Doing this will allow my machine to talk with the Palo Alto firewall.

Open your favorite browser (I find Chrome works the best) and go to https://192.168.1.1

You will be greeted with a warning that you are using a private cert instead of a cert from a certificate authority. Tell your browser it is ok.

You will see the login page for the Palo Alto firewall. The default username and password are:

user: admin

pass: admin

When you have entered the login credentials click “Log In“.

You will see a warning that you haven’t changed the default password yet. Click “OK”

Click the Device Tab

To change things like the hostname, domain, time zone and time, click Setup – Management TAB and then the General Settings Cog icon.

A window will pop open and you can enter the information. Here is an example of what I entered into the Palo Alto Device. When done click “OK”.

Please note that this setting and the rest of the settings we change will not be applied on the Palo Alto Firewall until I have hit commit!

Next we will update the DNS servers that the Management Plane uses. To do so stay in the setup section and click the Services TAB – then click the Services Cog.

The next thing we will change is the IP address of the Management Port. To do this stay in the setup section. Click the Interfaces TAB – Click Management Interface.

As we have seen the default IP address is 192.168.1.1. We can specify the IP Address to be DHCP (only newer versions of PAN-OS allow for this!) or a static IP address. Here is how I set up my device:

The next thing we will need to do is change the default password of your Palo Alto Firewall. To do this click on:

Device TAB – Click Administrators Section – then click on admin

Change the password to your liking:

Now that we have finished the basic setup of the Palo Alto Firewall we will now need to commit our settings.

PLEASE NOTE – Since we are changing the IP address from the 192.168.1.X network to the 192.168.101.x network, the progress bar will never reach 100%. The reason for this is that the browser loses its connection to the old address and won’t be able to update the progress bar to 100%. This “issue” is pretty typical on network devices that are being configured via their web management. If you were using the command console it would complete as expected.

In my instance, the device got to 98%. Click Close.

You can now switch your computer’s IP address back to its normal network and you should be able to talk to the Palo Alto on the new IP address!

When you log in it is good to verify that the settings you have entered were applied. Notice right away you can tell the device was named properly and that we are now logging in from the new network in the logs.

The last thing we should do is check our ability to SSH into our device and test connectivity using ping and traceroute.

Open your favorite SSH client; I use PuTTY. Enter the settings into the client. Here is mine:

Accept the SSH key:

Log into the box using the username and password you entered in the Web Interface.

The first thing we want to do is ping google.com. The command to do this is:

ping host google.com

You should see that the name is resolved using DNS and that the box should be able to ping the server:

Do you have a live port that wasn’t documented? Normally if you had a huge budget you might have a Fluke device on hand. Unfortunately, not everyone can afford a Fluke Testing Device.

For this article, you will need to have a laptop with Wireshark installed.

Plug in the laptop and start Wireshark. Once you start Wireshark you will want to start the packet capture on the network card that is attached to the port in question.

Once you see that traffic is flowing you should enter the “Filter Expression”:

cdp

If you leave Wireshark up and running long enough you will see only the CDP packets start to come in.

The CDP packets will tell you many things. Some of the most useful things are:

Device ID – This is the name of the switch

Software Version – Firmware Version of the switch

Addresses – IP address of the switch

Port ID – The switch port the computer is plugged into

Cluster Management

VTP Domain info

VLAN info

Duplex Info

Management IP address of switch

Here is what you might see:

Once you have one packet captured that is all you will need. Stop the packet capturing and take a look at the first packet.

There will be 4 Main sections of the packet. The section we are going to care about is: “Cisco Discovery Protocol”.

If it isn’t already expanded, please expand it now. Scroll down until you see:

Depending on the make and model you might see FastEthernet, GigabitEthernet or just plain Ethernet. The 1/0/4 says the name of the port on the switch!

NOTE – You could also write down the MAC address of the laptop, log into the switch console and look the MAC address up in the ARP cache. What is nice about the Wireshark method is that you can get this info without having login credentials for the switch!
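The fields Wireshark shows under “Cisco Discovery Protocol” are type-length-value records that follow a 4-byte header (version, TTL, checksum). The parser below is an added example, not part of the original post; it decodes the fields listed above from a constructed sample payload, and the device name, address and VLAN in that sample are made up.

```python
import struct
# CDP TLV type codes for the text fields the article lists.
TEXT_TLVS = {0x0001: "device_id", 0x0003: "port_id",
             0x0005: "software_version", 0x0009: "vtp_domain"}
ADDRESS_TLVS = {0x0002: "addresses", 0x0016: "management_addresses"}

def _ipv4_addresses(value):
    """Decode an address-list TLV value, keeping only IPv4 entries."""
    (count,) = struct.unpack_from("!I", value, 0)
    pos, found = 4, []
    for _ in range(count):
        proto_end = pos + 2 + value[pos + 1]   # protocol type, length, bytes
        proto = value[pos + 2:proto_end]
        (addr_len,) = struct.unpack_from("!H", value, proto_end)
        addr = value[proto_end + 2:proto_end + 2 + addr_len]
        pos = proto_end + 2 + addr_len
        if proto == b"\xcc" and addr_len == 4:  # NLPID 0xCC means IPv4
            found.append(".".join(str(b) for b in addr))
    return found

def parse_cdp(payload):
    """Parse a CDP payload: the bytes that follow the LLC/SNAP header."""
    if len(payload) < 4:
        raise ValueError("too short for a CDP header")
    info = {"version": payload[0], "ttl": payload[1]}
    pos = 4  # skip version, TTL and the 2-byte checksum
    while pos + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, pos)
        if tlv_len < 4 or pos + tlv_len > len(payload):
            raise ValueError(f"bad TLV length {tlv_len} at offset {pos}")
        value = payload[pos + 4:pos + tlv_len]
        if tlv_type in ADDRESS_TLVS:
            info[ADDRESS_TLVS[tlv_type]] = _ipv4_addresses(value)
        elif tlv_type == 0x000A and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == 0x000B and len(value) == 1:
            info["duplex"] = "full" if value[0] else "half"
        elif tlv_type in TEXT_TLVS:
            info[TEXT_TLVS[tlv_type]] = value.decode("ascii", "replace")
        pos += tlv_len
    return info

def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, len(value) + 4) + value
# Constructed sample payload (not a real capture); checksum left as zero.
_ADDR = struct.pack("!I", 1) + b"\x01\x01\xcc\x00\x04" + bytes([192, 0, 2, 10])
SAMPLE = (b"\x02\xb4\x00\x00" + _tlv(1, b"lab-sw01") + _tlv(2, _ADDR)
          + _tlv(3, b"GigabitEthernet1/0/4") + _tlv(0x0A, b"\x00\x65")
          + _tlv(0x0B, b"\x01"))
```

Because every device plugged into the port receives these records, the same output is a quick way to review what a switch advertises on user-facing ports.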

I was getting the error message “Error: 0xc1420117” when I tried unmounting a wim file.

To give you a little background about my machine…

It is a Windows 2012R2 server with WDS and MDT installed. When I installed MDT I needed to install Microsoft ADT, which also includes Dism.

If you open a command prompt and run dism the program just runs.

After a little bit of fooling around, I noticed the system had TONS of dism files on it. To resolve the issue you need to run the most up-to-date version. A way to check which dism files are on your computer is to open a command prompt and type:

dir C:\dism.exe /s /a

The output will look similar to this. Notice how the C:\deploymentShare\Servicing\x64 folder has the most recent file, whereas the Windows\System32 dism file was made back in 2014.

Using the most recent version of dism I then ran the commands:

dism /Cleanup-Mountpoints

dism /unmount-wim /mountdir:C:\dismmount /discard

NOTE – My mount drive is “C:\Dismount”

Hopefully, this will help you successfully fix your Dism Error: 0xc1420117